-/* $OpenBSD: gss-serv.c,v 1.1 2003/08/22 10:56:09 markus Exp $ */
+/* $OpenBSD: gss-serv.c,v 1.13 2005/10/13 22:24:31 stevesk Exp $ */
/*
* Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
#ifdef GSSAPI
#include "bufaux.h"
-#include "compat.h"
#include "auth.h"
#include "log.h"
#include "channels.h"
#include "session.h"
#include "servconf.h"
-#include "monitor_wrap.h"
#include "xmalloc.h"
#include "getput.h"
#include "ssh-gss.h"
-extern ServerOptions options;
-
static ssh_gssapi_client gssapi_client =
{ GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL}};
&gssapi_null_mech,
};
-/* Unpriviledged */
+/* Unprivileged */
void
ssh_gssapi_supported_oids(gss_OID_set *oidset)
{
* oid
* credentials (from ssh_gssapi_acquire_cred)
*/
-/* Priviledged */
+/* Privileged */
OM_uint32
ssh_gssapi_accept_ctx(Gssctxt *ctx, gss_buffer_desc *recv_tok,
gss_buffer_desc *send_tok, OM_uint32 *flags)
static OM_uint32
ssh_gssapi_parse_ename(Gssctxt *ctx, gss_buffer_t ename, gss_buffer_t name)
{
- char *tok;
+ u_char *tok;
OM_uint32 offset;
OM_uint32 oidl;
-
- tok=ename->value;
-
- /*
- * Check that ename is long enough for all of the fixed length
+
+ tok = ename->value;
+
+ /*
+ * Check that ename is long enough for all of the fixed length
* header, and that the initial ID bytes are correct
*/
- if (ename->length<6 || memcmp(tok,"\x04\x01", 2)!=0)
+ if (ename->length < 6 || memcmp(tok, "\x04\x01", 2) != 0)
return GSS_S_FAILURE;
/*
* string is long enough and that the OID matches that in our context
*/
if (tok[4] != 0x06 || tok[5] != oidl ||
- ename->length < oidl+6 ||
- !ssh_gssapi_check_oid(ctx,tok+6,oidl))
+ ename->length < oidl+6 ||
+ !ssh_gssapi_check_oid(ctx, tok+6, oidl))
return GSS_S_FAILURE;
offset = oidl+6;
-
+
if (ename->length < offset+4)
return GSS_S_FAILURE;
-
+
name->length = GET_32BIT(tok+offset);
offset += 4;
-
+
if (ename->length < offset+name->length)
- return GSS_S_FAILURE;
-
- name->value = xmalloc(name->length);
- memcpy(name->value,tok+offset,name->length);
-
+ return GSS_S_FAILURE;
+
+ name->value = xmalloc(name->length+1);
+ memcpy(name->value, tok+offset,name->length);
+ ((char *)name->value)[name->length] = 0;
+
return GSS_S_COMPLETE;
-}
+}
/* Extract the client details from a given context. This can only reliably
* be called once for a context */
-/* Priviledged (called from accept_secure_ctx) */
+/* Privileged (called from accept_secure_ctx) */
OM_uint32
ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
{
int i = 0;
gss_buffer_desc ename;
-
+
client->mech = NULL;
while (supported_mechs[i]->name != NULL) {
i++;
}
- if (client->mech == NULL)
+ if (client->mech == NULL)
return GSS_S_FAILURE;
-
- if ((ctx->major = gss_display_name(&ctx->minor, ctx->client,
+
+ if ((ctx->major = gss_display_name(&ctx->minor, ctx->client,
&client->displayname, NULL))) {
- ssh_gssapi_error(ctx);
- return (ctx->major);
+ ssh_gssapi_error(ctx);
+ return (ctx->major);
}
-
- if ((ctx->major = gss_export_name(&ctx->minor, ctx->client,
+
+ if ((ctx->major = gss_export_name(&ctx->minor, ctx->client,
&ename))) {
ssh_gssapi_error(ctx);
return (ctx->major);
}
-
+
if ((ctx->major = ssh_gssapi_parse_ename(ctx,&ename,
&client->exportedname))) {
return (ctx->major);
return (ctx->major);
}
-/* As user - called through fatal cleanup hook */
+/* As user - called on fatal/exit */
void
-ssh_gssapi_cleanup_creds(void *ignored)
+ssh_gssapi_cleanup_creds(void)
{
if (gssapi_client.store.filename != NULL) {
/* Unlink probably isn't sufficient */
{
if (gssapi_client.mech && gssapi_client.mech->storecreds) {
(*gssapi_client.mech->storecreds)(&gssapi_client);
- if (options.gss_cleanup_creds)
- fatal_add_cleanup(ssh_gssapi_cleanup_creds, NULL);
} else
debug("ssh_gssapi_storecreds: Not a GSSAPI mechanism");
}
if (gssapi_client.store.envvar != NULL &&
gssapi_client.store.envval != NULL) {
-
debug("Setting %s to %s", gssapi_client.store.envvar,
- gssapi_client.store.envval);
+ gssapi_client.store.envval);
child_set_env(envp, envsizep, gssapi_client.store.envvar,
- gssapi_client.store.envval);
+ gssapi_client.store.envval);
}
}
-/* Priviledged */
+/* Privileged */
int
ssh_gssapi_userok(char *user)
{
+ OM_uint32 lmin;
+
if (gssapi_client.exportedname.length == 0 ||
gssapi_client.exportedname.value == NULL) {
debug("No suitable client data");
return 0;
}
if (gssapi_client.mech && gssapi_client.mech->userok)
- return ((*gssapi_client.mech->userok)(&gssapi_client, user));
+ if ((*gssapi_client.mech->userok)(&gssapi_client, user))
+ return 1;
+ else {
+ /* Destroy delegated credentials if userok fails */
+ gss_release_buffer(&lmin, &gssapi_client.displayname);
+ gss_release_buffer(&lmin, &gssapi_client.exportedname);
+ gss_release_cred(&lmin, &gssapi_client.creds);
+ memset(&gssapi_client, 0, sizeof(ssh_gssapi_client));
+ return 0;
+ }
else
debug("ssh_gssapi_userok: Unknown GSSAPI mechanism");
return (0);
}
+/* Privileged */
+OM_uint32
+ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
+{
+ ctx->major = gss_verify_mic(&ctx->minor, ctx->context,
+ gssbuf, gssmic, NULL);
+
+ return (ctx->major);
+}
+
#endif
andersk / openssh.git / blobdiff